The NIS2 Directive (Network and Information Systems Directive 2) reshapes the European cybersecurity landscape by dramatically expanding the number of organizations in scope. Where NIS1 covered roughly 1,000 entities in Belgium and 1,500 in France, NIS2 now captures 20,000 to 100,000 entities per major member state. Understanding whether your organization qualifies as an essential entity or an important entity is the first step — and it changes everything about your obligations.
## The NIS2 framework

Published in the Official Journal on 27 December 2022 (Directive (EU) 2022/2555), NIS2 required transposition by all EU member states by 17 October 2024. In practice, transposition has been staggered: Belgium transposed via the NIS2 Act of 26 April 2024, effective 18 October 2024, while France enacted its REN Act (Resilience of Activities of Vital Importance) on 30 April 2025.
The binary essential/important classification stems from two cumulative criteria: entity size and sector of activity.
### The two key criteria: size + sector
For an organization to fall under NIS2, it must simultaneously:
- Operate in a sector listed in Annex I or Annex II of the directive
- Exceed the medium-enterprise thresholds (50+ employees or €10M+ annual turnover or €10M+ balance sheet)
Below these thresholds, the directive does not apply — except for specific exceptions (DNS service providers, TLD registries, qualified trust service providers, central public administrations, etc., automatically covered regardless of size).
## Essential entities (Annex I)

Essential entities operate in the highly critical sectors listed in Annex I of the directive. Being essential means being subject to the strictest form of supervision.

### The 11 Annex I sectors
| Sector | Example entities |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating/cooling |
| Transport | Air, rail, water, road |
| Banking | Authorized credit institutions |
| Financial market infrastructures | Trading venues, central counterparties |
| Health | Hospitals, labs, critical medical device manufacturers, pharmaceutical production |
| Drinking water | Drinking water suppliers and distributors |
| Waste water | Collection, discharge, treatment |
| Digital infrastructure | Internet exchange points (IXPs), DNS providers, TLD registries, cloud computing providers, data centers, CDNs, trust services, public electronic communications networks and services |
| ICT service management B2B | Managed service providers (MSPs), managed security service providers (MSSPs) |
| Public administration | Central entities (mandatory); regional (optional by member state) |
| Space | Ground infrastructure operators supporting space services |
### "Essential" qualification threshold
To be essential, you must be in an Annex I sector AND exceed large enterprise thresholds:
- Over 250 employees, OR
- Annual turnover above €50M, OR
- Annual balance sheet above €43M
Automatic exceptions exist regardless of size: qualified trust service operators, DNS providers, TLD registries, central administrations, entities identified as "critical" under the CER directive (Critical Entities Resilience), and unique entities within a member state.
## Important entities (Annex II)

Important entities operate in other critical sectors but face lighter supervision (reactive supervision, rather than the proactive supervision applied to essentials).

### The 7 Annex II sectors
| Sector | Example entities |
|---|---|
| Postal and courier services | Postal operators, parcel delivery providers |
| Waste management | Collection, treatment, recycling |
| Manufacture, production and distribution of chemicals | Chemical industry (REACH) |
| Production, processing and distribution of food | Food wholesalers, large-scale agri-food industry |
| Manufacturing | Medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment |
| Digital providers | Online marketplaces, search engines, social networking platforms |
| Research | Research organizations (optional by member state) |
### "Important" qualification threshold
To qualify as important, you must operate in:
- An Annex II sector + exceed medium enterprise thresholds (50+ employees OR €10M+ turnover/balance sheet), OR
- An Annex I sector without reaching large enterprise thresholds (but exceeding medium enterprise thresholds)
In other words, an SME in the energy sector (75 employees, €12M turnover) will be important — not essential. A large food distributor (500 employees, €200M turnover) will also be important because its sector is Annex II, never essential.
## Why classification matters — 5 major differences
The essential/important distinction is not cosmetic: it determines supervision, sanctions, and operational obligations.
### 1. Ex ante vs ex post supervision
- Essential: proactive supervision — the competent authority can audit, inspect, demand information at any time, without prior suspicion of incident.
- Important: reactive supervision — the authority only intervenes after an incident or a report of suspected infringement.
This is the most consequential difference in practice. An essential entity must be ready to be audited at any time; an important entity can be more reactive.
### 2. Fine ceilings

- Essential: up to €10M or 2% of annual worldwide turnover (whichever is higher)
- Important: up to €7M or 1.4% of annual worldwide turnover (whichever is higher)

For a multinational, this means a direct difference of millions of euros in the event of a major breach.
### 3. Personal liability of management

Both categories place personal liability on management (CEO, board members) for cyber risk management measures. In the most serious cases, the directive allows member states to temporarily bar certain executives, including directors and legal representatives, from their functions at essential entities with repeated failures.
### 4. Registration and notification
Both categories must:
- Register with the national competent authority (ANSSI in France, CCB in Belgium)
- Notify significant incidents within strict deadlines (see our NIS2 incident notification 24h/72h/1-month guide)
- Voluntarily share cyber threat information
But the forms, frequencies, and evidentiary requirements are heavier for essentials.
### 5. Supply chain compliance requirements

NIS2 introduces a principle of chain responsibility: an essential entity must assess and document the cyber risks posed by its critical suppliers. In practice, this means that even if your company is not directly covered by NIS2, your essential customers will require equivalent guarantees from you.
## The 10 mandatory measures — identical for both categories
Article 21 of NIS2 imposes 10 minimum measures for cyber risk management, mandatory for both essential and important entities:
- Policies on risk analysis and information system security
- Incident management (prevention, detection, response)
- Business continuity (backup, disaster recovery, crisis management)
- Supply chain security
- Security in acquisition, development and maintenance of systems
- Measures to assess effectiveness (audit and testing policy)
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding cryptography (including encryption)
- Human resources security, access control policies and asset management
- Multi-factor authentication, secure communications, emergency communications
Implementation depth varies by criticality, but all 10 measures apply. For essential entities, each measure must be documented with evidence; for important entities, a pragmatic demonstration may suffice.
## How to identify your status in 5 steps

Here's a practical method:

1. List your activities — What is your primary business classification code? What is your main production?
2. Cross-reference with Annexes I and II — Does your activity match one of the 18 listed sectors? For mixed activities, the activity representing more than 10% of turnover counts.
3. Measure your size — Headcount + turnover + balance sheet. Calculate per EU Recommendation 2003/361/EC (micro, small, medium, large enterprise).
4. Apply the grid
   - Annex I + large enterprise → essential
   - Annex I + medium enterprise → important
   - Annex II + medium or large enterprise → important
   - Outside thresholds → not in scope (except automatic exceptions)
5. Check automatic exceptions — Qualified trust service providers, DNS providers, TLD registries, central administrations: you are covered regardless of size.
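The five steps above are a decision procedure, so they can be written down as a small classifier. The following is an added example, not code from the article or from any regulator; it encodes the article's simplified grid (size thresholds combined with OR, as stated above, rather than the full headcount-plus-financials test of Recommendation 2003/361/EC), the Annex I and Annex II sector lists, and the automatic inclusions the article names. Sector keys, the `entity_type` field and the `Entity` dataclass are assumptions made for this example; the sample entities are constructed from the scenarios on this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "not in scope"


class Size(Enum):
    BELOW_MEDIUM = "below medium thresholds"
    MEDIUM = "medium enterprise"
    LARGE = "large enterprise"


# Thresholds as stated in the article (figures in EUR millions).
# Medium is reached at 50+ employees OR 10M+ turnover OR 10M+ balance sheet;
# large is exceeded at >250 employees OR >50M turnover OR >43M balance sheet.
# Simplification (assumption): each criterion is tested independently with OR.
MEDIUM_EMPLOYEES, MEDIUM_TURNOVER_M, MEDIUM_BALANCE_M = 50, 10.0, 10.0
LARGE_EMPLOYEES, LARGE_TURNOVER_M, LARGE_BALANCE_M = 250, 50.0, 43.0

# Sector keys are shorthand chosen for this example (assumption).
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructures",
    "health", "drinking water", "waste water", "digital infrastructure",
    "ict service management b2b", "public administration", "space",
}
ANNEX_II = {
    "postal and courier services", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}

# Entity types the article says are covered regardless of size and lists
# among the exceptions to the "essential" size threshold.
AUTOMATIC_ESSENTIAL = {
    "dns service provider", "tld registry",
    "qualified trust service provider", "central public administration",
}


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    turnover_m: float
    balance_sheet_m: float = 0.0          # 0.0 = not known / not provided
    entity_type: Optional[str] = None     # e.g. "dns service provider"


def size_class(e: Entity) -> Size:
    """Step 3: place the entity in the article's size grid."""
    if (e.employees > LARGE_EMPLOYEES or e.turnover_m > LARGE_TURNOVER_M
            or e.balance_sheet_m > LARGE_BALANCE_M):
        return Size.LARGE
    if (e.employees >= MEDIUM_EMPLOYEES or e.turnover_m >= MEDIUM_TURNOVER_M
            or e.balance_sheet_m >= MEDIUM_BALANCE_M):
        return Size.MEDIUM
    return Size.BELOW_MEDIUM


def classify(e: Entity) -> Status:
    """Steps 2, 4 and 5: sector lookup, the grid, then automatic inclusions."""
    if e.entity_type and e.entity_type.lower() in AUTOMATIC_ESSENTIAL:
        return Status.ESSENTIAL              # covered regardless of size
    sector, size = e.sector.lower(), size_class(e)
    if sector in ANNEX_I:
        if size is Size.LARGE:
            return Status.ESSENTIAL
        return Status.IMPORTANT if size is Size.MEDIUM else Status.OUT_OF_SCOPE
    if sector in ANNEX_II:
        return Status.OUT_OF_SCOPE if size is Size.BELOW_MEDIUM else Status.IMPORTANT
    return Status.OUT_OF_SCOPE               # sector not in either annex


# Constructed sample entities, taken from the scenarios in this article.
SAMPLE_ENTITIES = [
    Entity("Regional bank", "banking", 580, 120.0),
    Entity("E-commerce SME", "digital providers", 30, 4.0),
    Entity("Public hospital", "health", 3500, 450.0),
    Entity("Medical device manufacturer", "manufacturing", 150, 25.0),
    Entity("Energy SME", "energy", 75, 12.0),
    Entity("Food distributor", "food", 500, 200.0),
    Entity("Small DNS operator", "digital infrastructure", 12, 2.0,
           entity_type="dns service provider"),
]


def classify_all(entities=SAMPLE_ENTITIES) -> dict:
    """Return {entity name: status string} for a list of entities."""
    return {e.name: classify(e).value for e in entities}


if __name__ == "__main__":
    for name, status in classify_all().items():
        print(f"{name:28s} -> {status}")
```

The `entity_type` check runs before the size test on purpose: the article's point is that the automatic inclusions short-circuit the size grid. Everything else is the grid read top to bottom, so a change to a threshold or a sector list is a one-line edit in the constants rather than a change to the logic.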
When in doubt, consult your national authority (ANSSI in France, CCB in Belgium). For detailed Belgian-scope resources, see our partner site mise-en-conformite-nis2.be.
## Practical cases: 4 classification scenarios

### Scenario 1 — Regional bank (580 employees, €120M turnover)
- Sector: Annex I (Banking)
- Size: large enterprise
- Result: essential
### Scenario 2 — E-commerce SME (30 employees, €4M turnover)
- Sector: Annex II (online marketplace)
- Size: small enterprise below thresholds
- Result: not in scope — but recommended to apply NIS2 best practices proactively, especially if you serve essential customers
### Scenario 3 — Public hospital (3,500 employees, €450M budget)
- Sector: Annex I (Health)
- Size: large enterprise
- Result: essential
### Scenario 4 — Medical device manufacturer (150 employees, €25M turnover)
- Sector: Annex II (medical device manufacturing) AND Annex I (if considered health-linked)
- Size: medium enterprise
- Result: important (often interpreted as Annex II for manufacturers that are not healthcare operators)
## What to do now

### For essential entities
- Appoint a CISO and an NIS2 point of contact (explicit designation obligation)
- Register with the national authority (registration deadlines already passed in most member states)
- Implement the 10 Art. 21 measures with documented evidence
- Establish an incident notification plan (early warning 24h + report 72h + final report 1 month)
- Test your plans with annual crisis exercises
### For important entities
- Implement the 10 measures — same level, more pragmatic approach
- Document your security posture to respond to reactive controls
- Register with the national authority
- Train your teams on incident recognition and notification
Our ResiPlan BCMS solution centralizes NIS2, DORA, ISO 22301, and NIST CSF compliance in a single tool. To get started, try ResiPlan free for 14 days.
## Conclusion
The essential vs important distinction determines severity of controls, sanctions, and documentary depth expected. It does not determine the functional scope of the 10 mandatory measures: those apply to both categories.
For organizations still hesitating on their qualification, the prudent rule is to align your posture with essential requirements. This protects against classification changes (your revenue may cross thresholds from year to year), secures your value chain (your essential customers will expect this level from you), and prepares for the likely arrival of NIS3 in the 2030s.